iiNet has stuck its objections to mandatory data retention to the man today, telling a Senate Inquiry just how infeasible the concept of mandatory data retention would be, both from security, privacy, technological and financial standpoints.
So what are the issues?
Data retention is a scheme that fundamentally compromises the privacy of users for no reason...
Proposed amendments to the Telecommunications Interception Act were discussed at a Senate Hearing today, with discussion from iiNet's Steve Dalby centring around objections to collecting, storing and giving up access to customer metadata. The data would be used at a later date by law enforcement agency to help solve crimes. Essentially, it's gathering up a whole haystack of data presuming that there'll be a needle in there you might need to find later, to coin an old Dalby-ism. It's no secret that the ISP objects to such a regime.
...by scooping up a whole bunch of unnecessary information in the process.
Dalby has previously said that the retention of metadata generated by user devices collects sensitive information that law enforcement agencies has no need for.
"The data collected can be incredibly sensitive – it can reveal who your friends are, where you go and what websites you visit. Indeed, it may even tell more than the content of a phone call or an email. Recent research from Stanford University showed that when analysed this data may create a revealing profile of a person’s life including medical conditions, political and religious views, friends and associations. Police say “If you have nothing to hide, then you shouldn’t be worried”. Personally I think that if you follow that dubious logic, we’d all be walking around naked. It’s not about being worried, or wanting to ‘hide’ anything. It’s about the right to decide what you keep private and what you allow to be shared. YOU should be the one to make that call, and that decision should stick until a warrant or something similar is issued to law enforcement agencies to seize your information."
He reiterated that today by adding that ISPs don't collect data they don't need for technical and billing purposes:
In its submission to this Inquiry, the Attorney General’s Department asserted:
Service providers routinely engage in telecommunications data retention for their business purposes.
This assertion is overstated. Carriers only collect appropriate data for their businesses. There is a world of difference between the data collected in order to bill a customer for their Internet usage, versus the collection of a mass of data generated by a customer during their sessions on-line. The data generated by telecommunications traffic massively outweighs the data required for ISPs and carriers to run their businesses.
This suggestion from the Attorney General’s Department could be likened to saying, "You are going to the shops to get a litre of milk anyway, and so it’s no big deal to bring me the whole supermarket".
iiNet has no use for surveillance data, so there is no commercial driver to collect a massive volume of data, indexed to individuals, that we’ll never use. In the event that a specific data preservation order is received from law enforcement agencies, special steps are required to retain the information specified in that notice.
Browsing data, posts to RSVP, Twitter, Instagram, Facebook, Weibo or Google+, purchases from iTunes, Netflix, Amazon, eBay, Alibaba, searches via bing, Google, YouTube, Baidu or Yahoo, transactions for on-line banking, ticket purchases, hotels or PayPal are not routinely retained by iiNet for our business purposes. These are private and irrelevant to the provision of our service.
A data retention scheme would see iiNet collect more data than it needs to...
— Steve Dalby (@Steve_Dalby) July 29, 2014
— Steve Dalby (@Steve_Dalby) July 29, 2014
...and that means it will cost users more per month to store...
Fancy paying more for your internet connection just because the government wants to spy on you? According to iiNet's Steve Dalby, that's exactly what will happen under a mandatory data retention scheme that holds your metadata for two years.
Dalby said at today's hearing that any mandatory data retention scheme would see the ISP saddled with an additional cost of $5 per user per month, which would arguably be passed on and charged to customers.
That number stems from the storage costs of data collected, which would cost $100 million in the first two years and double after that due to the explosion of data on the internet.
...while also putting a user's security at risk.
And as long as data just sits in a data centre waiting to be analysed by law enforcement, it can arguably be accessed by enterprising hackers. Quoting the Victorian Police Commissioner:
"Retaining the data would create a massive security risk if an ISP suffers a breach of security, including a significant risk of identity theft. The immense amount of data would also create an incentive for hackers to view ISPs as a target."
And indeed we've already seen how old data just sitting on servers can be hacked with the recent leak of AAPT customer details. To demonstrate the rocky nature of data security when at rest, Anonymous held a demonstration and hacked an AAPT server full of customer details to protest any data retention scheme.
For those reasons and more, iiNet objects to data retention.
"iiNet does not agree that it should accept the role proposed by those calling for an onerous data retention regime. If we are ultimately compelled by law to collect such data, the government must be responsible for its storage and protection," the company wrote in its submission.
Read iiNet's full submission here.